Hardening Firefox to Protect Privacy

Wednesday, August 12, 2015

firefox, privacy, security

Your web browser is your gateway to the Internet. Unfortunately, sometimes the gate works both ways. In this guide I will cover some tricks to help protect yourself online. I have been using Firefox configured like this for quite a while and wanted to share this with you. I’ll admit this configuration could probably go further (e.g., disabling JavaScript, employing NoScript, disabling remote fonts, etc.), but I feel like this setup provides a good balance between protecting privacy/security and keeping the browser usable.

Disable Third-Party Cookies

Normally, a cookie’s domain name will match the domain name that is shown in the web browser’s address bar. This is called a first-party cookie. Third-party cookies, however, belong to domains different from the one shown in the address bar. These sorts of cookies typically appear when web pages feature content, such as banner advertisements, from external websites. This opens up the potential for tracking the user’s browsing history, and is often used by advertisers in an effort to serve relevant advertisements to each user. You can read more about cookies on Wikipedia.

Third-party cookie settings are available in the Options window’s Privacy panel:

Click the menu button and choose Options.

Select the Privacy panel.

Set “Firefox will:” to “Use custom settings for history”.

Set “Accept third-party cookies” to “Never”.

Close the about:preferences page. Any changes you’ve made will automatically be saved.

Troubleshooting Tracking Protection

Sometimes Tracking Protection can cause issues with websites. Personally I’ve seen it interfere with third-party login systems and shopping carts. You may choose to disable Tracking Protection for a particular site by clicking on the shield icon and selecting “Disable protection for this site.” Once Tracking Protection is disabled for a site, you will see a shield with a red strike-through. You may choose to re-enable Tracking Protection for the site by clicking the shield icon again and selecting “Enable protection”.

Install uBlock Origin to Block Advertising

You may have heard of AdBlock or its kin (AdBlock Edge and AdBlock Plus), but uBlock Origin is currently the best advertising blocker out there. It is designed with performance in mind so that blocking advertising does not make your web browser run slower. In fact, on average uBlock actually makes your browser run better! You can install uBlock Origin from the Firefox Add-ons website.

Enable Additional uBlock Filters

By default uBlock uses a fairly minimal filtering list which is focused on blocking advertisements. In the uBlock Origin settings you can enable some extra filters to resist tracking.

Click the uBlock Origin icon in the Firefox window.

Click the uBlock Origin banner in the menu that appears.

Go to the 3rd-party filters tab.

Enable (check) the additional filter lists, provided below.

Once you are done, click Apply changes.


Privacy

These filters help you to evade tracking across websites.

Basic tracking list by Disconnect
Fanboy’s Enhanced Tracking List

Social

The social filters listed below block social buttons and scripts which are frequently used to track you across websites.

Troubleshooting uBlock Origin

Sometimes uBlock will break sites which depend heavily on third-party content. I’ve seen several “log on with Facebook” type services broken by uBlock. When you suspect uBlock may be causing issues you can click the uBlock icon and then click the blue power button to disable uBlock on the site you’re visiting. A reload button will appear that allows you to quickly refresh the page with uBlock disabled.

Install the HTTPS Everywhere Add-on

HTTPS Everywhere is an extension that encrypts your communications with many major websites, making your browsing more secure. Encryption prevents third parties from listening to your web traffic. After installation you’ll be prompted to restart Firefox.

When Firefox restarts, HTTPS Everywhere will ask you if you want to use the SSL Observatory. Personally, I respond Yes to this prompt as I don’t mind helping the EFF to monitor SSL certificates used on the web. It’s your choice.

Enforce Click-to-Play and Disable Unnecessary Plug-ins

These days it seems like just about every software package out there tries to install a browser plug-in. From a security standpoint, browser plug-ins are the biggest window for malicious software to gain entry to your system. That is why it is a good idea to make sure that only pages which you explicitly allow can run plug-ins. This is accomplished by telling Firefox to ask you before activating plug-ins.

In going through plug-ins, I usually set all of them to Never Activate, except the following:

Whenever you visit a page which requires a plug-in, Firefox will display a notification along the top prompting you to allow the plug-in to run. If you trust the site, and want to run plug-ins all the time, click Allow…. From there you can choose to allow the plug-in this one time or allow it always. In most cases I’d recommend allowing the plug-in only once; however, for some sites (such as YouTube) I’ll tell it to Allow and remember.
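As an added example (not part of the original guide), the following Python script audits the text of a profile's prefs.js for the cookie, Tracking Protection and plug-in settings described above. The preference names and values are the about:config names I understand Firefox releases of this era to use for those options (an assumption to verify in about:config), and the sample input is constructed.

```python
import re

# Matches lines such as: user_pref("network.cookie.cookieBehavior", 1);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
PLUGIN_PREFIX = "plugin.state."  # per-plug-in state: 0 never, 1 ask, 2 always

# Constructed sample input, not taken from a real profile.
SAMPLE = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
user_pref("plugin.state.flash", 1);
user_pref("plugin.state.java", 2);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """List settings that differ from the guide. prefs.js stores only
    non-default values, so a missing pref means the Firefox default."""
    findings = []
    # Assumed mapping: 0 accepts all cookies (default), 3 accepts third-party
    # cookies from visited sites, 1 is "Never", 2 blocks all cookies.
    if prefs.get("network.cookie.cookieBehavior", 0) not in (1, 2):
        findings.append("third-party cookies are not set to Never")
    if prefs.get("privacy.trackingprotection.enabled", False) is not True:
        findings.append("Tracking Protection is not enabled")
    for name, value in sorted(prefs.items()):
        if name.startswith(PLUGIN_PREFIX) and value == 2:
            plugin = name[len(PLUGIN_PREFIX):]
            findings.append(f"plug-in '{plugin}' is set to Always Activate")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE)):
        print("WARN:", finding)
```

To check a real profile, pass the contents of the prefs.js file from your Firefox profile folder to parse_prefs() instead of SAMPLE.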

Other recommended extensions to protect your privacy:

Security Plus: Security Plus is a browser extension that provides free checking of URLs for viruses. It uses up to 64 different antivirus products and scan engines to check for viruses that the user’s own antivirus solution may have missed.

Policy Control (JavaScript, CSS, Media, …): This extension helps you quickly disable and enable different types of resources such as JavaScript, CSS, and Media. The extension can be used to increase privacy as well as save bandwidth by blocking unwanted content.